
Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering

Conference paper. Passive and Active Measurement (PAM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13210)

Abstract

Most online communications rely on DNS to map domain names to their hosting IP address(es). Previous work has shown that DNS-based network interference is widespread due to the unencrypted and unauthenticated nature of the original DNS protocol. In addition to DNS, accessed domain names can also be monitored by on-path observers during the TLS handshake when the SNI extension is used. These lingering issues with exposed plaintext domain names have led to the development of a new generation of protocols that keep accessed domain names hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain name in the SNI extension.

We present DNEye, a measurement system built on top of a network of distributed vantage points, which we used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers (e.g., for censorship). Moreover, we evaluate the efficacy of these protocols in circumventing network interference when accessing content blocked by traditional DNS manipulation. We find evidence of blocking efforts against domain name encryption technologies in several countries, including China, Russia, and Saudi Arabia. At the same time, we discover that domain name encryption can help with unblocking more than 55% and 95% of censored domains in China and other countries where DNS-based filtering is heavily employed.


References

  1. Freedom on the Net (2020). https://freedomhouse.org/countries/freedom-net/scores

  2. ICANN Centralized Zone Data Service. https://czds.icann.org

  3. Luminati proxy service. https://luminati.io

  4. Anecdote: DNS over TLS has stopped working (2021). https://web.archive.org/web/20210329194856/forum.manjaro.org/t/dns-over-tls-has-stopped-working/56422

  5. Cloudflare DoT (2021). https://developers.cloudflare.com/1.1.1.1/encrypted-dns/dns-over-tls

  6. How to enable or disable the VPN relay function on VPN Gate client? (2021). https://www.vpngate.net/en/join_client.aspx

  7. Alenezi, R., Ludwig, S.A.: Classifying DNS tunneling tools for malicious DoH traffic (2021)

  8. Anonymous: Towards a comprehensive picture of the Great Firewall's DNS censorship. In: USENIX Workshop on Free and Open Communications on the Internet (FOCI) (2014)

  9. Baheux, K.: A safer and more private browsing experience with Secure DNS (2020). https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html

  10. Basso, S.: Measuring DoT/DoH blocking using OONI Probe: a preliminary study. In: NDSS DNS Privacy Workshop (2021)

  11. Bock, K., Hughey, G., Qiang, X., Levin, D.: Geneva: evolving censorship evasion strategies. In: ACM Conference on Computer and Communications Security (CCS) (2019)

  12. Chen, C.: Russia wants to outlaw ESNI, DoT, and DoH. https://www.privateinternetaccess.com/blog/russia-wants-to-outlaw-tls-1-3-esni-dns-over-https-and-dns-over-tls

  13. Chai, Z., Ghafari, A., Houmansadr, A.: On the importance of Encrypted-SNI (ESNI) to censorship circumvention. In: USENIX FOCI (2019)

  14. Cimpanu, C.: Apple adds support for encrypted DNS (DoH and DoT) (2020). https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/

  15. Cornell, J.: How to enable DNS over HTTPS in Microsoft Edge (2020). https://www.howtogeek.com/660157/how-to-enable-dns-over-https-in-microsoft-edge/

  16. Csikor, L., Singh, H., Kang, M.S., Divakaran, D.M.: Privacy of DNS-over-HTTPS: requiem for a dream? In: IEEE EuroS&P (2021)

  17. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.2. RFC 5246, IETF (2008)

  18. Knot DNS: kdig - advanced DNS lookup utility (2020). https://www.knot-dns.cz

  19. DNS over HTTPS: DoH (2020). https://github.com/curl/curl/wiki/DNS-over-HTTPS

  20. Duan, H., et al.: Hold-on: protecting against on-path DNS poisoning. In: SATIN (2012)

  21. Rescorla, E., Oku, K., Sullivan, N., Wood, C.: Encrypted Server Name Indication for TLS 1.3, draft-ietf-tls-esni-02 (2019). https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-02

  22. Rescorla, E., Oku, K., Sullivan, N., Wood, C.: TLS Encrypted Client Hello, draft-ietf-tls-esni-07 (2020). https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-07

  23. Rescorla, E., Oku, K., Sullivan, N., Wood, C.: Encrypted Server Name Indication for TLS 1.3, draft-ietf-tls-esni-05 (2020). https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-05

  24. Filasto, A., Appelbaum, J.: OONI: Open Observatory of Network Interference. In: USENIX FOCI (2012)

  25. Fuchs, C., Boersma, K., Albrechtslund, A., Sandoval, M.: Internet and Surveillance: The Challenges of Web 2.0 and Social Media (2011)

  26. Google: JSON API for DNS over HTTPS (DoH) (2019). https://developers.google.com/speed/public-dns/docs/dns-over-https

  27. Hoang, N.P., Niaki, A.A., Borisov, N., Gill, P., Polychronakis, M.: Assessing the privacy benefits of domain name encryption. In: ACM AsiaCCS (2020)

  28. Hoang, N.P., Niaki, A.A., Gill, P., Polychronakis, M.: Domain name encryption is not enough: privacy leakage via IP-based website fingerprinting. In: PoPETs (2021)

  29. Hoang, N.P., et al.: How great is the Great Firewall? Measuring China's DNS censorship. In: USENIX Security Symposium (2021)

  30. Hoang, N.P., Niaki, A.A., Polychronakis, M., Gill, P.: The web is still small after more than a decade. In: ACM SIGCOMM Computer Communication Review (2020)

  31. Hoffman, P., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, IETF (2018)

  32. Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.: Specification for DNS over Transport Layer Security (TLS). RFC 7858, IETF (2016)

  33. Jin, L., Hao, S., Wang, H., Cotton, C.: Understanding the impact of encrypted DNS on internet censorship. In: Proceedings of the Web Conference 2021, pp. 484-495 (2021)

  34. Jones, B., Ensafi, R., Feamster, N., Paxson, V., Weaver, N.: Ethical concerns for censorship measurement. In: ACM SIGCOMM Workshop on Ethics in Networked Systems Research (2015)

  35. Jones, B., Lee, T.W., Feamster, N., Gill, P.: Automated detection and fingerprinting of censorship block pages. In: ACM Internet Measurement Conference (IMC) (2014)

  36. Bock, K., Anonymous, I., Merino, L., Fifield, D., Houmansadr, A., Levin, D.: Exposing and circumventing China's censorship of ESNI (2020). https://geneva.cs.umd.edu/posts/china-censors-esni/esni/

  37. Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: NDSS (2019)

  38. Lu, C., et al.: An end-to-end, large-scale measurement of DNS-over-encryption: how far have we come? In: ACM Internet Measurement Conference (IMC) (2019)

  39. McManus, P.: Improving DNS privacy in Firefox (2018). https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

  40. Mi, X., et al.: Resident Evil: understanding residential IP proxy as a dark service. In: IEEE S&P (2019)

  41. Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, IETF (1987)

  42. Niaki, A.A., et al.: ICLab: a global, longitudinal internet censorship measurement platform. In: IEEE S&P (2020)

  43. Niaki, A.A., Hoang, N.P., Gill, P., Houmansadr, A., et al.: Triplet censors: demystifying Great Firewall's DNS censorship behavior. In: USENIX FOCI (2020)

  44. Nobori, D.: Virtual Ethernet system and tunneling communication with SoftEther. In: The 45th Programming Symposium of Information Processing Society of Japan, pp. 147-158 (2004)

  45. Nobori, D., Shinjo, Y.: VPN Gate: a volunteer-organized public VPN relay system with blocking resistance for bypassing government censorship firewalls. In: USENIX NSDI (2014)

  46. Hoang, N.P., Doreen, S., Polychronakis, M.: Measuring I2P censorship at a global scale. In: USENIX FOCI (2019)

  47. Nystrom, M., Hopwood, D., Mikkelsen, J., Wright, T.: Transport Layer Security (TLS) Extensions. RFC 3546, IETF (2003). https://datatracker.ietf.org/doc/html/rfc3546

  48. Pearce, P., et al.: Global measurement of DNS manipulation. In: USENIX Security Symposium (2017)

  49. Procedure to request logs from the VPN Gate project (available in Japanese). https://www.vpngate.net/ja/about_abuse.aspx

  50. Ramesh, R., et al.: Decentralized control: a case study of Russia. In: NDSS (2020)

  51. Scott, W., Anderson, T., Kohno, T., Krishnamurthy, A.: Satellite: joint analysis of CDNs and network-level interference. In: USENIX Annual Technical Conference (2016)

  52. Sundara Raman, R., Shenoy, P., Kohls, K., Ensafi, R.: Censored Planet: an internet-wide, longitudinal censorship observatory. In: ACM CCS (2020)

  53. Turk, D.: Configuring BGP to block denial-of-service attacks. RFC 3882, IETF (2004)

  54. Wang, Z., Cao, Y., Qian, Z., Song, C., Krishnamurthy, S.: Your state is not mine: a closer look at evading stateful internet censorship. In: ACM Internet Measurement Conference (IMC) (2017)

  55. Weinberg, Z., Cho, S., Christin, N., Sekar, V., Gill, P.: How to catch when proxies lie: verifying the physical locations of network proxies with active geolocation. In: ACM Internet Measurement Conference (IMC) (2018)


Acknowledgments

We would like to thank our shepherd, Gareth Tyson, and the anonymous reviewers for their thorough feedback on earlier drafts of this paper. This research was supported in part by the Open Technology Fund under an Information Controls Fellowship. The opinions in this paper are those of the authors and do not necessarily reflect the opinions of the sponsor.

Author information

Corresponding author

Correspondence to Nguyen Phong Hoang.

Appendices

A DoTH Resolvers

Table 4 indexes 71 DoTH resolvers publicly available at the time of our study.

B DNS Tampering Detection

To identify cases of DNS-based network interference, we employ the following consistency heuristics, which are well established in the literature [24, 42, 48, 51].

Multiple Responses with Different ASes. We receive multiple responses for a DNS query that belong to different ASes. Previous studies have identified cases where on-path filtering systems inject packets carrying false IP addresses that often are publicly routable [8, 29, 43].

NXDomain or Non-routable Address. We receive an NXDomain or non-routable IP in response to a DNS query from a vantage point while receiving a routable address from the majority of vantage points and our control node.

Different Responses from Control and Aggregate. A vantage point receives a globally routable IP that differs from the IP observed at the control node. We first check whether the two IPs belong to the same AS. If they do, the difference is due to the use of a CDN and/or DNS-based load balancing, not censorship. If the IP observed by the vantage point belongs to an AS that differs from the response AS observed at the control node and at the majority of other vantage points, this behavior indicates DNS interference by a filtering system that aims to redirect the client to a different server (e.g., to display a blockpage). However, there are also cases in which different ASes are managed by the same large CDN provider (e.g., Akamai). To avoid false positives, we look up the organization information of those ASes and exclude cases where the differing response ASes belong to the same organization.
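The three heuristics above, applied in order to one domain's answers from a control node and a set of vantage points. This is an added example and not the DNEye code of the paper; the IP-to-AS/organization table, the IP addresses, the vantage-point names and the label strings are all constructed for the example, and no network queries are made.

```python
"""Consistency heuristics for DNS tampering detection (Appendix B).

Added example, not the paper's measurement code. It applies the three
heuristics to constructed observations: the control node's answer, each
vantage point's answer(s) and a hand-written IP-to-AS table.
"""
import ipaddress
from collections import Counter

# Constructed prefix -> (ASN, organisation) table standing in for a real
# IP-to-AS and AS-to-organisation database; every value here is made up.
AS_TABLE = {
    "11.22.33.0/24": (64500, "ExampleCDN"),
    "11.22.34.0/24": (64500, "ExampleCDN"),
    "55.66.77.0/24": (64501, "ExampleCDN"),    # different AS, same organisation
    "77.88.99.0/24": (64502, "FilteringISP"),  # unrelated network
}


def as_info(ip):
    """(ASN, organisation) for an IP address, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in AS_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return (None, None)


def is_routable(answer):
    """NXDOMAIN and non-global addresses (RFC 1918, loopback, ...) are not routable."""
    return answer != "NXDOMAIN" and ipaddress.ip_address(answer).is_global


def consensus_asn(vantages):
    """ASN returned by the majority of vantage points (each vantage counts once per ASN)."""
    counts = Counter()
    for answers in vantages.values():
        for asn in {as_info(a)[0] for a in answers if is_routable(a)}:
            counts[asn] += 1
    return counts.most_common(1)[0][0] if counts else None


def classify(answers, control_ip, majority_asn):
    """Label one vantage point's answers for a domain, following the three heuristics."""
    if not answers:
        return "NO_ANSWER"
    routable = [a for a in answers if is_routable(a)]

    # Heuristic 1: several answers to one query that point into different ASes,
    # the signature of an on-path injector racing the genuine response.
    if len(routable) > 1 and len({as_info(a)[0] for a in routable}) > 1:
        return "INJECTED_RESPONSES"

    # Heuristic 2: NXDOMAIN or a non-routable address while the control node
    # and the majority of vantage points obtain a routable one.
    if len(routable) < len(answers) and is_routable(control_ip) and majority_asn is not None:
        return "NXDOMAIN_OR_NONROUTABLE"

    # Heuristic 3: a routable answer that differs from the control node's.
    ip = routable[0]
    if ip == control_ip:
        return "CONSISTENT"
    asn, org = as_info(ip)
    control_asn, control_org = as_info(control_ip)
    if asn == control_asn:
        return "CONSISTENT_SAME_AS"        # CDN and/or DNS-based load balancing
    if asn == majority_asn:
        return "CONSISTENT_MAJORITY_AS"    # agrees with most vantage points
    if org is not None and org == control_org:
        return "CONSISTENT_SAME_ORG"       # one organisation operating several ASes
    return "REDIRECTED"                    # interference steering the client elsewhere


def detect(control_ip, vantages):
    """Return {vantage_id: label} for one domain's observations."""
    majority = consensus_asn(vantages)
    return {vp: classify(answers, control_ip, majority) for vp, answers in vantages.items()}


# Constructed observations for one domain (addresses and vantage names are made up).
CONTROL_IP = "11.22.33.44"
OBSERVATIONS = {
    "vp-A": ["11.22.33.44"],                 # identical to the control node
    "vp-B": ["11.22.34.9"],                  # other IP, same AS: load balancing
    "vp-C": ["55.66.77.8"],                  # other AS, same organisation
    "vp-D": ["77.88.99.10"],                 # unrelated AS: redirection
    "vp-E": ["NXDOMAIN"],                    # forged NXDOMAIN
    "vp-F": ["11.22.33.44", "77.88.99.10"],  # two answers from different ASes
}

if __name__ == "__main__":
    for vp, label in detect(CONTROL_IP, OBSERVATIONS).items():
        print(f"{vp}: {label}")
```

The majority ASN is computed before any vantage point is classified, so a single vantage point cannot pull the consensus toward its own answer; in practice the organization lookup behind `as_info` would come from a WHOIS or AS-to-organization dataset rather than a literal table.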

Table 4. The list of DoTH resolvers used in our measurement.

C AS-Level DoTH Filtering

Table 5 shows the top five countries where most connections to DoTH resolvers were interfered with. The DoTH server names are indexed in Table 4.

Table 5. Top five countries where most AS-level DoTH filtering was detected. * indicates cases where both TCP and TLS handshakes were completed but we could not obtain the correct IP of our control domain being resolved.

D ESNI Prevalence

Over the course of our measurement period, we frequently query for ESNI TXT records of more than 350M domains from TLD zone files [2]. Only 3%–4.5% of domains respond to our ESNI TXT queries, and only 48–51% of these TXT records have a valid ESNI key format as defined in the Internet drafts [21, 23]. Analyzing the key lengths of all ESNI TXT records obtained, we find that the majority of them have 92 characters. These ESNI-supporting domains are hosted by Cloudflare, which is the only Internet company supporting ESNI to the best of our knowledge. For domains whose ESNI TXT records do not have a correct ESNI key format, we find that their authoritative nameservers are configured with a wildcard setup (i.e., *.example.com), so they respond to our ESNI TXT query for _esni.example.com despite not having an actual ESNI key. Consequently, only around 1.5%–2.25% of domains on the Internet support ESNI.
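The format check above separates genuine ESNIKeys records from wildcard TXT answers. The added example below (not the paper's code) encodes and parses the ESNIKeys structure as laid out in draft-ietf-tls-esni-02 [21]: version 0xff01, a 4-byte checksum (the first four bytes of SHA-256 over the structure with the checksum zeroed), a key-share vector, a cipher-suite vector, padded_length, not_before, not_after and an extensions vector. The 32-byte public key is constructed, not a real X25519 key, and the domain names and the SPF-style string are made up; with one X25519 share and one cipher suite the base64 text is 92 characters long, matching the length observed above.

```python
"""ESNI TXT record validation against the draft-ietf-tls-esni-02 ESNIKeys layout.

Added example, not the paper's code. The public key and sample records are constructed.
"""
import base64
import hashlib
import struct

ESNI_VERSION_DRAFT02 = 0xFF01
GROUP_X25519 = 0x001D
TLS_AES_128_GCM_SHA256 = 0x1301


def build_esni_keys(pubkey, padded_length=260, not_before=0, not_after=2**64 - 1):
    """Serialise an ESNIKeys structure with one X25519 key share and one cipher suite."""
    key_share = struct.pack("!HH", GROUP_X25519, len(pubkey)) + pubkey
    body = (struct.pack("!H", len(key_share)) + key_share             # keys<4..2^16-1>
            + struct.pack("!HH", 2, TLS_AES_128_GCM_SHA256)           # cipher_suites
            + struct.pack("!HQQ", padded_length, not_before, not_after)
            + struct.pack("!H", 0))                                    # extensions (empty)
    # checksum = first 4 bytes of SHA-256 over the structure with the checksum field zeroed
    zeroed = struct.pack("!H", ESNI_VERSION_DRAFT02) + b"\x00" * 4 + body
    checksum = hashlib.sha256(zeroed).digest()[:4]
    return zeroed[:2] + checksum + body


def encode_esni_txt(pubkey):
    """Base64 text as it would be published in the _esni.<domain> TXT record."""
    return base64.b64encode(build_esni_keys(pubkey)).decode("ascii")


def parse_esni_keys(txt):
    """Decode and validate an ESNIKeys TXT value; raise on anything malformed."""
    raw = base64.b64decode(txt, validate=True)   # rejects non-base64 text such as SPF strings
    if len(raw) < 6:
        raise ValueError("too short")
    version, = struct.unpack_from("!H", raw, 0)
    if version != ESNI_VERSION_DRAFT02:
        raise ValueError(f"unsupported version {version:#06x}")
    expected = hashlib.sha256(raw[:2] + b"\x00" * 4 + raw[6:]).digest()[:4]
    if raw[2:6] != expected:
        raise ValueError("checksum mismatch")
    off = 6
    keys_len, = struct.unpack_from("!H", raw, off)
    off += 2
    keys_end = off + keys_len
    key_shares = []
    while off < keys_end:
        group, klen = struct.unpack_from("!HH", raw, off)
        off += 4
        key_shares.append((group, raw[off:off + klen]))
        off += klen
    if off != keys_end or not key_shares:
        raise ValueError("bad key share vector")
    suites_len, = struct.unpack_from("!H", raw, off)
    off += 2
    suites = [struct.unpack_from("!H", raw, off + i)[0] for i in range(0, suites_len, 2)]
    off += suites_len
    padded_length, not_before, not_after = struct.unpack_from("!HQQ", raw, off)
    off += 18
    ext_len, = struct.unpack_from("!H", raw, off)
    off += 2 + ext_len
    if off != len(raw):
        raise ValueError("length mismatch")
    return {"key_shares": key_shares, "cipher_suites": suites, "padded_length": padded_length,
            "not_before": not_before, "not_after": not_after}


def is_valid_esni_txt(txt):
    """True only if the TXT value is a well-formed draft-02 ESNIKeys record."""
    try:
        parse_esni_keys(txt)
        return True
    except (ValueError, struct.error):
        return False


def classify_records(records):
    """Map each TXT value found at _esni.<domain> to whether it passes the format check."""
    return {name: is_valid_esni_txt(txt) for name, txt in records.items()}


CONSTRUCTED_PUBKEY = bytes(range(32))          # placeholder bytes, not a real key
_corrupted = bytearray(build_esni_keys(CONSTRUCTED_PUBKEY))
_corrupted[-1] ^= 0x01                          # one flipped bit breaks the checksum
SAMPLE_RECORDS = {                              # constructed names and values
    "esni-hosted.example": encode_esni_txt(CONSTRUCTED_PUBKEY),
    "wildcard.example": "v=spf1 include:_spf.example -all",   # wildcard TXT answer
    "corrupted.example": base64.b64encode(bytes(_corrupted)).decode("ascii"),
}

if __name__ == "__main__":
    print(len(SAMPLE_RECORDS["esni-hosted.example"]), "characters")
    print(classify_records(SAMPLE_RECORDS))
```

A wildcard zone answers `_esni.<domain>` with whatever TXT data the wildcard carries, so the base64 and structure checks are what separate real ESNI support from the apparent 3%–4.5% response rate.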


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Hoang, N.P., Polychronakis, M., Gill, P. (2022). Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_23


  • DOI: https://doi.org/10.1007/978-3-030-98785-5_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-98784-8

  • Online ISBN: 978-3-030-98785-5

  • eBook Packages: Computer Science (R0)
